Comments on: Another image-based Captcha method

Captcha the Dog offers a simple yet affective image-based method to fight against computer-generated inputs.

[malexandria1]

I hate Captcha, it's really irritating and annoying you can barely make out the letters and then half the time it's hard to tell if it's case sensitive or if you are supposed to type in 2 sets or 1. It's a Horrible system and I wish websites would stop using it and come up with an alternative method like Askimet which is a seamless system that works really well. I had captcha when we used Drupal and the site got spammed so much that it destroyed our active forums - not to mention all the complaints from users. I eventually switched to WordPress and Askimet and haven't had an issue since. This idea of using pictures of animals is dumb but at least it's easier to understand than the letters/numbers.

[thelemurking]

You are running WordPress and do not get hit by spam? that's pretty impressive... I might need to check out this Askimet.

[malexandria1]

Nope, Askimet does a very good job of catching spam, it catches literally a thousand messages a week on my site. Check it out at http://www.eclipsemagazine.com, no spam in the comments.

[everymahn]

The concept is interesting, but the implementation requires JavaScript to function. Considering that roughly five percent of website visitors have JavaScript disabled, the developers need to implement a non-JavaScript alternative.

Additionally, this technology does nothing to prevent bulk Captcha-bypassing services provided by illicit third parties, who employ actual humans to comprise these filters for mere pennies.

[MadLyb]

So, I should build a whole system for 5% of the Internet?

Better to just require them to turn it on.

[everymahn]

"So, I should build a whole system for 5% of the Internet?"

Spoken like a developer; not a business person.

If you lose five percent of your market because there is no cost-benefit, then fine. Otherwise, ensure that the system works across browsers and operating systems, including non-JavaScript versions. Business is too competitive to leave potential customers outside your door. :)

[FrankTangoAlpha]

A business person caters to the market.
The 5% doesn't have a need for it.
The 5% is not part of the form-filling market.
Javascript is a choice not a privilege.

[c|net Reader]

I use NoScript in Firefox, so JavaScript, among other things, is disabled when I first visit a site to protect me from drive-by downloads and other potential harm. If your site ignores me initially, then I am likely to ignore your site. If I find I can trust your site, or find the content compelling, I may temporarily enable scripts. If the only reason I must enable scripts is to use a mechanism like this for posting, you are likely to lose my business and participation. Can you really afford to turn away the growing number of people like me? When things are prosperous, I suppose you think you can, though you'll find me influence wider than just my visit. When business is slow, you deserve the result.

[FrankTangoAlpha]

So .. you would only temporarily turn on javascript if the content was compelling?

In otherwords, businesses only want your javascript on .. if you find the content compelling.
No loss if you don't.

Maybe you mean something else? I don't understand your argument.

[Binaryzero]

I find that one of the biggest joke I have ever seen, April fools was on the 1st. I went and tried their demo, and I is one of the worst attempts at Captcha. The dog/cat pictures are too small and the idea of playing a silly "whack-a-mole" game to make a post makes me thing what I have to say is not that important.

[codynews]

everymahn: Well, I'm not concerned with such a small % that don't have javascript. There will alwasy be a small % of users that can't do something on a site for whatever reason.

However the routing of captcha's (or other versions of the same thing) to farms of 3rd worlders is interesting. I read an acticle in Wired about that a long time ago (since that's what humans can do that computers can't, then 'computers' would use people for that type of task. Funny (or odd? Sad? Wierd?) that people are actually doing that.

[Cruton502]

The problem I see with this system as compared with the 3d imagining is that this will have a finite pool of images. The 3d system could, in theory, produce an infinite amount of images.

[catch23]

This sounds a lot like ASIRRA from MS Research.
http://research.microsoft.com/en-us/um/redmond/projects/asirra/

[DanielMCMullan]

CaptchaTheDog is different from ASIRRA.

Cat and Dog Recognition Software spamware defeats ASIRRA
And use a KNOWN library of animals already tagged cat and dog.

CaptchaTheDog lets you use your OWN images. Cats and dogs just as an example.
You can use cars and trucks or anything you want.

You just click to prove you are a human. NO squiggly letters. NO rotation of images.

The spammers get fooled by humans randomly feeding images. This is an important difference.

ASIRRA is difficult to use too and takes alot of room on the page.

[SparkyMcSparky]

Another one of the problems with this is it is taking up too much screen space. It is a great start however

[cnetDOTcom]

The one crippling drawback to these methods is they do not account for visually impaired visitors who typically use screen readers. Good captcha systems today feature a way to play an audio file of the text to be entered for this very reason.

[virgilp]

http://portal.acm.org/citation.cfm?id=1455838
An article showing how to distinguish automatically between cats and dogs, with a precision better than 80%. This means that for this particular challenge (max 6-in-a row), you get a ~25% chance of breaking the captcha.
In other words: ineffective!

[DanielMCMullan]

Cats and Dogs are just this example.
You can use any random image library.
The point is to harness human created image libraries to test the bots.

Swapping images is easier than creating new Optical Recognition Software.

Who will give up first?

[Eludium-Q36]

I don't understand something here ... a spambot can't click picture so why should we have to click up to 6 times ?! That's just too onerouse, why can't we just click once maybe twice and be done ? A spambot won't be able to do that.

[FrankTangoAlpha]

5 times in a row is prevent brute-force attacks. 9 to the 5th is greater than 50,000 chances to 1 that a bot can guess correctly. That is why it is randomly served 4 to 6 times. So bots can not learn as to what works.

[marquinhocb]

Only problem here being, unlike the 3D captcha idea, these images aren't generated - they come from a finite source.
By using 3D image generation, the number of possibilities are boundless - you can re-generate or re-render the image as often as you want, using different textures and backgrounds and rotations.
By using static images, you're limited to what, 1000? 10,000 images? It wouldn't be any more difficult for a spammer to catalog the images (faster, actually, than having to find/generate the images) and then simply do a binary image comparison.

[catch23]

In the ASIRRA project from Microsoft Research, they used photos from PetFinder.com.
Over 3 million images, that rotate as animals are adopted.
I think it could be easy enough to prevent a spammer catalog.

[DanielMCMullan]

ASIRRA is hacked:
http://homepages.cs.ncl.ac.uk/jeff.yan/msn_draft.pdf

...and for the same reasons the 3-D concept will be hacked.

if a computer can re-produce an image .. a spam computer can recognize it.

The strength of CAPTCHATHEDOG comes from each website customizing their own images used.
Cats and Dogs are just an example.. another example may be cars, goats, and boats.

[tjshokk46]

This only one of a few ideas.
A little coding skill and the correct browser that supports
add in modules and boom..
The below is a very MESSY idea to beat this captcha method.
I was going to originally send it to the people that created it but...
I'm sure that using more than the 30 seconds it took me to come up with this, you folks
could use it to build a more solid solution.
Peace.

--------------------------


What about a perl script preloaded with the image sizes in arrays..
One with cat image sizes, the other dogs. Sizes in bytes of course for
reliability..

The browser would be launched with system() in setting the browser
window in a certain position..

By tapping into the mouse, the program would highlight each image
one at a time.

For each image, by tapping into the browser, the image size could
then be compared to the @dog and @cat arrays ...

This could be an dumb idea but, I find it would be alot easier to do
than writing a program to parse all of the HTML and act out a similiar
process...

The fix would be to find a way to make all of the images the same size
without the program being able to tell like, avoid inserting garbage into
the images.

For the general code you're supplying, I think this would be more
than efficient.

For the customized images well, the program would only need
customized sizes.. maybe supplied through a text file or the command
line.

[tjshokk46]

In response to myself lol, to save you guys the time... No, this wouldn't work for every single attempt more than likely BUT, I do believe it'd be able to crush the 6 in a row needed.

[DanielMCMullan]

tjsokk46 is wrong.

The CAPTCHATHEDOG images are re-compressed into jpgs on the fly so the
size randomly changes (as well as other attributes) so that your suggested attack will not work.

But don?t take my word for it, see the image properties for yourself. It looks the same to humans, but looks different to bots every time you refresh it:

http://www.captchathedog.com/cgi-bin/getImage?d=8260&u=10097&s=KLOANFHITCVBPQQVOUPTPFBKFNJI&f=0

You suggest: What about a perl script preloaded with image sizes in arrays? One with cat image sizes, the other dogs. Sizes in bytes of course for reliability..

tjsokk46, I think you?re missing the point.

Note: CAPCHATHEDOG is hackable! But only once per bot.
This is why CAPTCHATHEDOG is different from all other CAPTCHAs.

If a human always has to identify the images, why rebuild a bot for
every site using a random, personalized set of images (ready to change the moment any spam gets through)?

The new bot will work only for the one website it is attacking (per new image; one spam at a time), but only once until a bot pays a human to identify the new KEY image.

It would be literally cheaper to pay a human to just post the spam, than to build a new bot for each new image posted by the site owner.

CaptchaTheDog requires a human to identify the images to get to the prize (sending a form).

tjshokk46 suggests a human could identify each image in arrays, so a computer can then come back and automatically identify the images based on their file size.

tjshokk46?s suggestion (and the fact that it won?t work) precisely illustrates how CAPTCHATHEDOG empowers many humans to beat the spambots by reducing the ?prize? to one spam for each bot built?rendering the bot highly inefficient, if not completely ineffective.

CaptchaTheDog works because humans can create new (random) images anytime, faster than spambots can be "re-taught" by hackers creating arrays.

CaptchaTheDog essentially removes the ?prize? and motivation for hackers, scoring a point for humans in the ?Humans vs. Bots Arms Race.?

[DanielMCMullan]

It would literally be cheaper to pay a human to just post spam, than to beat CAPTCHATHEDOG by building new Optical recognition software bot for each new image.